Terms of Service
These Terms of Service (“Terms”) apply to use of the Rizkly Application and related Services (“Services”) and will be binding on you (“Customer”) and Rizkly, LLC (“Company”) when Company makes any Services available for Customer’s use. By using the Services, you automatically agree to these Terms of Service. If you use or access the Services on behalf of a company or other legal entity (such as your employer), you represent that you have the authority to bind that company or other legal entity to these Terms. If you do not agree to these Terms of Service, you should not use the Service.
1. Services; Advisory Services.
1.1 Subject to Customer’s compliance with the terms and conditions of these Terms, Company will provide Customer the Services in accordance with Customer’s order which is executed by both parties or placed online (“Order”).
1.2 Customer shall be responsible for: (a) acts or omissions by any single individual, employee or contractor of Customer, authorized to access and use the Services (“Authorized Users”); (b) maintaining the confidentiality of access credentials (including but not limited to usernames, passwords, and keys) used by the Customer or its Authorized Users; (c) ensuring compliance with the terms of Customer’s Order, these Terms and any further policies or documents incorporated into the Order by each Authorized User including compliance with the restrictions on use included in these Terms and (d) ensuring compliance with applicable local, state, national laws and regulations in connection with the use of the Services, including those related to data privacy, international communications and the transmission of data. In particular, the Services shall not be used by anyone located in U.S.-embargoed countries or on the U.S. Treasury Department’s list of Specially Designated Nationals or the U.S. Department of Commerce’s Denied Persons or Entity List or to export or re-export technical data in violation of U.S. export control laws and regulations. Customer agrees to notify Company immediately of any actual or suspected unauthorized use of Customer’s access credentials or any unauthorized use of the Services.
1.3 Company reserves the right to modify the Services at any time. Company may provide notice of changes by posting information concerning the change (i) via email; (ii) on Company’s website; (iii) by notification directly through the Services (e.g., on a Services login page); or (iv) by other industry-standard notification systems such as social media. Should Company implement a change that reduces the functionality of the Service in a material manner, Company will issue a notification summarizing the effects of such a change. If Customer has established an account with Company and subsequently makes changes to the account, it may affect the Service provided.
1.4 If Customer’s account fails to meet the requirements of the Service, Company may take all reasonable remedial measures at its sole discretion, including the suspension of access to or deletion of files and/or Spaces. Additionally, Company may suspend or terminate Customer’s free access to the Service or paid subscription if Customer’s usage, in Company’s reasonable opinion, does not comply with the features, benefits and restrictions that are applicable at that time or causes interference with the normal functioning of the Service. In addition, Company may suspend the Services without notice and without liability to Company (a) if Company is required to do so by law; (b) if Customer violates these Terms and such violation may result in material harm; or (c) as provided in the Term and Termination section or the Fees and Payment section.
1.5 Some of the features of the Service or Company Software are designed to upload files identified by Customer to the Service or download files from the Service onto Customer’s computer or other device. By using the Service, Customer grants Company permission to access Customer’s computer or other devices in connection with the Service.
1.6 Company may provide or permit Customer to download or access the Rizkly Application or other software applications for use with the Service (“Company Software”). Company Software may include development software and tools, and software to be installed on end user devices for the purpose of using the Services. Subject to Customer’s compliance with these Terms, Company grants Customer a limited, non-exclusive, non-transferable, non-sublicensable license to download and install a copy of each application on a tablet, mobile device or computer that it owns or controls, and to run such copy of the Company Software solely for its own use and for the sole purpose of facilitating Customer’s use of the Service. When Customer’s right to receive and use the Services terminates, Customer’s license to Company Software shall also terminate. Any additional license terms notified to Customer or its Authorized User at the time of installation of the Company Software, or for Company Software accessed through or downloaded from third parties, shall also apply; Customer shall be solely responsible for complying therewith, and Company disavows any liability pertaining to any third-party applications, including the performance thereof. Customer (a) does not have any rights to any software other than as part of receiving the Services; (b) except with respect to Company Software, does not receive any licenses to the Software; and (c) does not receive any title, rights or ownership in or to any software.
1.7 Advisory Services.
1. Company may offer advisory services in connection with the Service. Advisory service allocations shall be as set forth in an applicable Order. Advisory service fees are non-refundable. Customer is responsible for tracking its use of assigned advisory service hours during the applicable month or other advisory service term.
2. Advisory service allocations for a particular month or service term must be used, if at all, during the allocation period. Advisory service hours cannot be carried over to a subsequent month or other applicable advisory service period. Advisory service hours not used by the end of the month or other applicable Service term shall expire. Use of advisory services time in excess of the advisory service allocation set forth in an order shall be subject to additional charges at the applicable hourly rate for the advisor.
3. Use of advisory services must be scheduled with Customer’s assigned Service advisor. Advisory service response time shall be subject to the availability of the assigned advisor. If you are unable to reach your advisor, please contact Rizkly support.
2. Term and Termination.
2.1 Term and Renewal. The term of the Service shall be determined based on the subscription purchased by Customer under an Order. Except as otherwise provided in an Order, Service subscriptions will automatically renew at the end of the initial term under an Order for additional 12-month renewal terms, unless either party gives the other party notice of non-renewal at least 30 days prior to the end of the relevant subscription period. A free or trial subscription shall not have a predefined term, and Company reserves the right to terminate it at any time.
2.2 Termination. Company or Customer may terminate the Services in the event of a material breach of these Terms by the other party, if such breach is not cured within thirty (30) days of written notice by the non-breaching party. Customer also has the option of canceling its subscription at any time by giving thirty (30) days’ written notice. Company may terminate the Services with immediate effect, and no such cure period will be granted, for breaches relating to the rights granted and/or restrictions in Section 1 (Services) or Section 4 (Restrictions on Use). Cancellation of a Service Order by Customer shall not entitle Customer to any refund of prepaid Service fees.
2.3 Effect of Termination. Upon any termination or expiration of the Service: (a) the rights and licenses granted to Customer hereunder will automatically terminate and (b) all data associated with a Customer’s subscription will be deleted. Upon any termination of the Service or these Terms, Customer will immediately cease all use of the Services and Company Software and will destroy all copies of Company Software in Customer’s possession or control. Following termination, Company may retain Customer content on backup media for an additional period of up to twelve (12) months, or longer if required by law, subject to the confidentiality obligations under these Terms. In the event of termination, any data Customer may have stored will be lost. Customer is solely responsible for implementing appropriate measures to periodically back up data related to its subscription.
2.4 Survival. The provisions of Sections 1.2, 3, 5, 6, 7.3, 7.6 and 8 and any provisions that by their nature should survive termination will survive any termination or expiration of the Services or these Terms.
3. Fees and Payment.
3.1 Company may offer both trial subscriptions and different categories of paid subscriptions to the Service, subject to the limits set by Company from time to time. Should Customer register for a paid subscription, Customer agrees to pay the Service fee(s) specified in its Order or publicized by Company at the time Customer completes its online registration, and on any renewal thereof. Customer shall pay Company for excess usage above the metrics stated in the initial Order. After the initial term of Customer’s subscription, Company reserves the right to increase the fees on paid Service subscriptions up to one (1) time per year by providing Customer with written notice of a fee increase no later than thirty (30) days prior to the expiration of the then-current term.
3.2 Fees owed by Customer not paid when due shall accrue interest at the lesser of one and one-half percent (1.5%) per month or the highest rate permitted by law. Fees do not include any taxes, and Customer shall pay any sales, use, value added or other taxes or import duties (other than corporate income taxes payable by Company) due as a result of any amounts paid to Company. Customer shall bear all of Company’s costs of collection of overdue fees, including reasonable attorneys’ fees. If Company is unable to charge Customer’s payment method (e.g., due to the expiration of Customer’s credit card), Customer is still obliged to pay Company the amounts to which it is committed under its Order and these Terms. All fees are non-refundable and are to be paid in US Dollars unless another currency was specified when the purchase was made. Customer is solely responsible for any fees imposed by its credit card company, including exchange rate or foreign transaction fees. If any fees remain unpaid following at least ten (10) days’ written notice by Company, Company may (reserving all other legal remedies and rights) suspend the Services or, following thirty (30) days’ written notice by Company, terminate the Service and any agreement created by these Terms and Customer’s Order.
4. Customer Obligations
4.1 Use of the Service. Customer, whether a paid subscription customer or a trial customer, may only use the Services for Customer’s internal business purposes. Only Authorized Users may access and use the Services. Customer may not: (a) use the Rizkly Application, regulatory guidance or compliance checklists except in connection with Customer’s use of the Service; (b) sell, rent or lease the Services or share with third parties the Rizkly Application, regulatory guidance, compliance checklists or any other Company Software in any way, or transfer any of its rights hereunder to any other person; (c) create any derivative works based upon the Company Software or the Services; (d) modify any of the Services (including Company Software), nor adapt, translate, reverse engineer, decompile, disassemble, or otherwise attempt to discover the source code of software used by Company in providing the Services, nor take any other steps to discover the confidential information or trade secrets in the Services; (e) create multiple free accounts under different or fake identities, or otherwise act in a manner that enables Customer to exceed the usage limits associated with the Service; or (f) disclose to any third party the results of any benchmarking testing or comparative or competitive analyses of the Services done by or on behalf of Customer.
4.2 Additional Restrictions. Customer may not and will not permit any Authorized User to do any of the following:
(i) engage in activity that harms or disrupts the operation or performance of the Services;
(ii) misrepresent your identity, impersonate any person or attempt to gain access to or illegally track any account, user, data, device, system, or network related to the Services;
(iii) use or manipulate the Services in any manner not permitted by Company;
(iv) use the Services in a manner that results in excessive bandwidth usage, as determined by Company;
(v) use the Services for any illegal purpose, or to publish, post, share, copy, store, backup or distribute any illegal files or data, including infringing, obscene, threatening, libelous, or otherwise unlawful or tortious material, including material that is harmful to children or that violates third party privacy rights;
(vi) circumvent user authentication or security of any host, network or account, including, but not limited to, accessing data not intended for you, or logging into or making use of a server or account you are not expressly authorized to access;
(vii) use the Services to publish, post, share, copy, store, backup or distribute material protected by intellectual property rights of a third party unless you own or have necessary rights to such material;
(viii) use the Services to publish, post, share, copy, store, backup or distribute material that contains viruses, worms, time bombs, Trojan horses and other harmful or malicious code, files, scripts, agents or any other similar software that may damage the operation of the Services or another person’s device or property;
(ix) engage in online activities that would encourage other parties to cause damage to the Services;
(x) alter or modify any disabling mechanism, which may be included in Services, including tampering with the security of the Services or tamper with other customer accounts of Company;
(xi) remove or alter any proprietary notices (e.g., copyright, trademark notices, legends, etc.) from the Services or copy any ideas, features, functions, or graphics of the Services;
(xii) build or assist someone else to build a competitive solution using similar ideas, features, functions, or graphics of the Service, or allow any person or entity that offers or provides services that are competitive to or with Company’s products and/or services to use or access the Services, or encourage any Customer to patronize a service that competes with the Services;
(xiii) attempt to probe, scan or test the vulnerability of the Services or to breach the security or authentication measures without proper authorization; or
(xiv) use the Services in furtherance of or in connection with any activity that violates applicable laws and regulations: (i) relating to export restrictions, administered by the U.S. Department of Commerce Bureau of Industry and Security; (ii) relating to arms and defense weapons, administered by the U.S. Department of State’s Directorate of Defense Trade Controls; or (iii) relating to economic and trade sanctions imposed by the U.S. Department of the Treasury Office of Foreign Assets Control.
5. Warranties and Disclaimers.
The Services and Company Software are provided “as is” without express or implied warranties or conditions of any kind. The warranties and remedies stated in this Section 5 are exclusive. Company expressly disclaims the currency and accuracy of the regulatory framework and checklists. Company shall not be liable for losses or damages incurred by Customer as a result of compliance-related issues arising from Customer’s reliance on the regulatory framework or checklists included in the Rizkly Application or other Company Software.
To the maximum extent permitted by applicable law, Company disclaims all other warranties and conditions, including without limitation any implied warranties of merchantability or of fitness for a particular purpose or those arising by law, statute, usage of trade or course of dealing. Company does not warrant that the Services will be error-free or will operate without interruption. Customer assumes the responsibility to take adequate precautions against damage to its operations which could be caused by Service defects, interruptions, or malfunctions.
6. Limitation on Liability; Indemnification.
6.1 Limitation of Liability. In regard to any and all causes arising out of or relating to the Services or these Terms, or the inability to use the Service, or any error or defect in the Service, including but not limited to claims of negligence, breach of contract or warranty, failure of a remedy to accomplish its essential purpose or otherwise: (1) Company is not liable to Customer or to any other party for: (a) any indirect, incidental, special, consequential, aggravated, exemplary, or punitive damages (even if Company is advised in advance of the possibility of the damages); or (b) any lost sales, lost revenue, lost profits, lost or corrupted data, reprocurement amounts or expenses arising out of third-party claims; and (2) Company’s aggregate liability for any and all claims during the entire term of any Order will not exceed the total amount of fees invoiced by Company to Customer during the twelve (12) months preceding the most recent event which is the cause of liability. With respect to trial or unpaid Services and Company Software, if the application of this section is limited by law, Company’s liability will be limited to the extent permitted by law. The remedies specified in these Terms are exclusive.
6.2 Customer Indemnity. Customer agrees to defend, indemnify, and hold Company and its officers, directors, employees, consultants, and agents harmless from and against any and all damages, costs, liabilities, expenses (including, without limitation, reasonable attorneys’ fees), and settlement amounts incurred in connection with any claim arising from or relating to: (i) Customer’s or Authorized Users’ use of the Services; (ii) Customer’s or Authorized Users’ actual or alleged use of the Services in violation of these Terms or applicable law; (iii) any actual or alleged infringement or misappropriation of patent, copyright, trade secret, right of publicity or privacy, or other proprietary right arising from data provided to Company by Customer or otherwise input into the Service, whether by the Customer, an Authorized User or otherwise; and/or (iv) any violation by Customer or its Authorized Users of any terms, conditions, agreements or policies of any third party.
7. Ownership; Customer Data; Security.
7.1 Services. Customer acknowledges and agrees that, as between the parties, Company alone owns all right, title, and interest in and to the Service, the Rizkly Application and other Company Software, including all intellectual property rights therein, even if Company incorporates any Customer Feedback into subsequent versions of the Service. Customer will not earn or acquire any rights or licenses in the Service or in any Company intellectual property rights on account of Company’s provision of Customer’s or its Authorized Users’ use of the Services.
7.2 Feedback. Customer may periodically provide Company with suggestions or other feedback. Unless otherwise expressly agreed by Company in writing, all feedback, comments, and suggestions for improvements, corrections, and other contributions provided by Customer regarding the Service or other Company materials (collectively, “Feedback”) will be owned by Company. Customer hereby irrevocably transfers and assigns to Company and agrees to irrevocably assign and transfer to Company all of Customer’s right, title, and interest in and to all feedback. Nothing in these Terms will preclude Company from using in any manner or for any purpose it deems necessary, the know-how, techniques, or procedures acquired or used by Company in the performance of services hereunder.
7.3 Customer Data. Customer’s content, data and information uploaded, generated, stored, or transmitted by Customer to Company as a part of Customer’s use of the Services belongs to Customer, and Company makes no claim to any right of ownership in such content, data or information. By posting or permitting its content, data or information to be posted, Customer represents and warrants to Company that Customer is the owner of all rights to such content, data or information or that Customer has the right to reproduce, distribute and transfer such content, data or information for the purposes of the Services. Customer remains solely responsible at all times for its content, data or information, and for ensuring it complies with these Terms and with all legal and regulatory obligations applicable to such content, data or information or to which Customer is subject. To the extent necessary for Company to perform its obligations in connection with the Services and these Terms, Customer grants Company the right to use, copy, process, rename, publish or display its content, data or information, and Company may monitor, modify, screen, pre-screen or delete such content, data or information.
7.4 Copyright. Company respects copyright law and expects its users to do the same. Company reserves the right, in its sole discretion, at any time and without prior notice, to remove or disable access to any files or accounts that we believe to be in violation of these Terms or otherwise harmful.
7.5 Security. Company will use reasonable care to protect Customer’s data against physical damage or unauthorized access. Company will store and safeguard Customer content in accordance with industry standard administrative, technical, and physical security controls and procedures. Customer may not create or store content that imposes specific security obligations on Company (e.g., health or financial data). Customer is solely responsible for maintaining and protecting all data and information that is stored, retrieved or otherwise processed by the Service. Without limiting the foregoing, Customer will be responsible for all costs and expenses that Customer or others may incur with respect to backing up and restoring and/or recreating any data and information that is lost or corrupted as a result of Customer’s use of the Service or any Company Software.
7.6 Confidentiality. Confidential Information may only be used for the purpose of fulfilling obligations or exercising rights under these Terms and may only be shared with employees, agents, or contractors with a need to know such information. The receiving party will maintain the confidentiality of Confidential Information by using the same degree of care that the receiving party takes to hold in confidence its own proprietary information of a similar nature, which will be no less than reasonable care. However, the receiving party will not be required to keep confidential any Confidential Information, which is or shall become publicly available without fault on the part of the receiving party; is already in the receiving party’s possession prior to receipt from the disclosing party; is independently developed by the receiving party; is disclosed by the disclosing party to third parties without similar restrictions; or is rightfully obtained by the receiving party from third parties without restriction. Except as provided in the previous sentence, the term “Confidential Information” includes Customer Content, Company Software and all other information disclosed by one party to the other marked as proprietary to the disclosing party or that the other party should reasonably understand to be confidential. Each party is responsible for any actions of its affiliates, employees and agents in violation of this paragraph.
8. General Provisions.
8.1 Assignment. There are no third-party beneficiaries to Customer’s use of the Services or these Terms. Customer may not assign or transfer its rights to use the Service or its rights or obligations under these Terms, in whole or in part, by operation of law or otherwise, without the prior written consent of Company. Any attempted assignment without such consent will be void. Except to the extent identified in this subsection, these Terms will be binding upon and inure to the benefit of the respective successors and assigns of the parties.
8.2 Governing Law; Time Limit. These Terms will be governed by and construed in accordance with the laws of the State of Delaware, USA, without reference to its choice or conflicts of law rules. The parties consent to the exercise of exclusive jurisdiction by the state or federal courts in the State of Delaware for any claim relating to the Services or these Terms. No action, regardless of form, arising from these Terms or any Services provided or to be provided hereunder may be brought by either party more than one (1) year after the cause of action has accrued, except that an action for non-payment may be brought at any time.
8.3 Publicity. Company may: (i) include the Customer’s name in its customer directory or user lists on its website or marketing materials; and/or (ii) make such other use of the Customer’s name and/or logo as may be agreed between the parties. Company shall comply with Customer’s trademark use guidelines as such are communicated to the Company in writing. Rizkly shall not identify Customer in any press release or other public announcement without Customer’s prior written consent.
8.4 Severability. If any provision of these Terms is held by a court of competent jurisdiction to be contrary to law, the provision shall be modified by the court and interpreted so as best to accomplish the objectives of the original provision to the fullest extent permitted by law, and the remaining provisions of these Terms shall remain in effect.
8.5 Amendment; Waiver. Any amendment of the agreement formed under these Terms must be in writing and signed or acknowledged by both parties. Neither party will be deemed to have waived any of its rights under these Terms by lapse of time or by any statement or representation other than by a written waiver by a duly authorized representative. No waiver of a breach of these Terms will constitute a waiver of any prior or subsequent breach.
8.6 Notices. All notices must be in writing and addressed: in the case of Company to the address set forth in the Customer’s Order, and in the case of Customer, to the address set forth in the Order. Notice will be deemed given when verified by written receipt if sent by personal courier, overnight courier, or when received if sent by mail without verification of receipt.
8.7 Entire Agreement. These Terms and Customer’s Order constitute the entire and exclusive agreement between the parties pertaining to the subject matter hereof, and supersede any prior or current understandings, both written and oral. These Terms may be modified by Company from time to time. Company shall provide advance written notice to Customer either via a posting on Company’s website or through Customer’s account. For paid subscriptions, the new terms shall come into force only upon the beginning of a renewal term, and for free subscriptions, the new terms shall be enforceable immediately. Should a free subscription Customer not agree with the amended terms, it should immediately cease usage of the Service, and should a paid subscription Customer not agree with the amended terms, it has the right to terminate its Order at the end of its then-current term (i.e., before a renewal term commences), in accordance with the termination provisions set forth above. Customer’s continued usage of the Service following the date the amended terms come into force shall be evidence of Customer’s agreement to the amended terms (and the amended terms thereafter shall become the “Terms,” as used herein).
8.8 No Agency. Company does not act as an agent of Customer in connection with Customer’s use of the Services provided hereunder. The establishment of the terms of any commercial or legal relationship between Customer and any third party by means of the use of the Services provided hereunder is the sole responsibility of Customer.
8.9 U.S. Government End Users – Restricted Rights Legend. The Services, documentation and Company Software provided to the U.S. Government are “Commercial Items”, as that term is defined at 48 C.F.R. 2.101, consisting of “Commercial Computer Software” and “Commercial Computer Software Documentation”, within the meaning of 48 C.F.R. 12.212 or 48 C.F.R.227.7202, as applicable. Consistent with 48 C.F.R. 12.212 or 48 C.F.R. 227.7202-1 through 227.7202-4, as applicable, the Commercial Computer Software and Commercial Computer Software Documentation are being licensed to U.S. Government end users (a) only as Commercial Items and (b) with only those rights as are granted to all other end users pursuant to the terms and conditions herein, as provided in FAR 12.212, and DFARS 227.7202-1(a), 227.7202-3(a), 227.7202-4, as applicable.
8.10 Delay in Performance. Except for payment and confidentiality obligations or protection of intellectual property, neither party is responsible for any failure or delay in performance of its obligations pursuant to these Terms or any Order to the extent due to causes beyond its reasonable control.
Changes to Rizkly’s Terms of Service
We reserve the right to modify these Terms of Service at any time, so please review it periodically. Your continued use of Rizkly’s products, services or websites or communication with Rizkly advisors constitutes your agreement to these Terms of Service and any updates.
Contacting Us
If you have questions or concerns, please contact Rizkly at: rizklysupport@rizkly.com or 12110 Sunset Hills Road Suite 600 Reston, VA 20190 USA.
Effective as of March 31, 2020
By Chor-Ching Fan
FedRAMP automation is on its way. The Open Security Controls Assessment Language (OSCAL) is a machine-readable information exchange format developed by the National Institute of Standards and Technology (NIST) to enable automation of risk management and compliance frameworks based on security controls and functional requirements. OSCAL supports the expression of compliance information in XML, JSON and YAML formats. OSCAL was released in June 2021 and, as of late July 2023, is at Version 1.1.0.
The FedRAMP cybersecurity management program is the first key adopter of the OSCAL standard. OSCAL promises to enable FedRAMP automation (and other frameworks that adopt it) improving the efficiency and effectiveness of compliance management by providing a standardized, machine-readable format for capturing and sharing security information. OSCAL automation has the ability to simplify many of the manual tasks involved in compliance including:
- Generating security documentation
- Assessment plan and results evaluation
- Tracking remediation activities
- Reporting on compliance status
OSCAL can be used to support a wide range of compliance frameworks, including:
- FedRAMP (early adoption in progress)
- NIST Cybersecurity Framework (CSF)
- ISO/IEC 27001
- SOC 2
- HIPAA
- PCI DSS
FedRAMP automation with OSCAL promises to be a significant improvement over previous approaches to compliance automation. As proven by similar information exchange automation initiatives in other industries, e.g. ecommerce supply chain documents or financial filings with the SEC, OSCAL should make compliance management more efficient, more effective, and more scalable.
Here are some of the benefits of using the new OSCAL compliance framework:
- Efficiency: OSCAL automation will reduce manual tasks involved in compliance, such as generating security documentation, conducting assessments, and tracking remediation activities. This can save organizations a significant amount of time and money. FedRAMP SSPs can easily run 300+ pages in Microsoft Word. With continual updates and document submissions to the FedRAMP PMO, this task alone will benefit greatly from OSCAL.
- Effectiveness: OSCAL provides a standardized, machine-readable format for capturing and sharing security information. This makes it easier to identify, evaluate and determine next steps to remediate key risks for the US government and cloud service providers.
- Scalability & Extensibility: OSCAL scales to support a wide range of compliance frameworks. It is also extensible, so any user or standards body can build on the reference models while adding the elements unique to its own privacy and security risk program.
Rizkly has supported the OSCAL standard since its 1.0 release in 2021, with the goal of providing the best software for FedRAMP automation. We love OSCAL and think it's great for the cybersecurity compliance world. Companies (CSPs) can import their existing Word SSPs and generate OSCAL with one click in Rizkly. It will not be practical for most organizations to use XML editors and handcraft OSCAL files each time there are updates or submission requirements. While OSCAL is still in a pre-commercialization status for FedRAMP, we recommend that CSPs explore the transition to OSCAL alongside their FedRAMP R4 to R5 gap analysis and planning efforts. If you're wondering about a FedRAMP R4 vs R5 gap analysis, Rizkly, compliance automation software backed by dedicated FedRAMP OSCAL compliance experts, is ready to assist; just contact us.
By Chor-Ching Fan
As organizations chart their growth through government contracts and assess the cost of cybersecurity compliance initiatives, many wonder "what's the difference between CMMC and FedRAMP?" The Cybersecurity Maturity Model Certification (CMMC) and the Federal Risk and Authorization Management Program (FedRAMP) are two different compliance frameworks that organizations must follow if they want to work with the US government.
CMMC is a comprehensive framework designed to protect the defense industrial base's (DIB) sensitive unclassified information. While it started with five levels of maturity, the latest version of the framework, CMMC 2.0, has three levels and tracks very closely with the NIST SP 800-171 control framework. All DoD contractors will need to achieve at least Level 1 (the required level depends on the sensitivity of the information the contractor handles) in order to keep and/or win new work with the DoD.
FedRAMP is a cybersecurity framework that focuses on the security of cloud service providers (CSPs) doing business with the US federal government. There are two paths to FedRAMP Authorization: a provisional authorization (P-ATO) through the Joint Authorization Board (JAB) or an authorization (ATO) through a specific government agency sponsor. The JAB is the primary governing body for FedRAMP and includes representation from the Department of Defense (DoD), Department of Homeland Security (DHS), and General Services Administration (GSA). There are four control baselines, one for each FedRAMP authorization impact level.
| | CMMC | FedRAMP |
|---|---|---|
| Purpose | Assesses and enhances the cybersecurity maturity of all contractors working with the DoD | Focuses on the security of cloud service providers serving federal agencies |
| Certification/Authorization Levels | 3 | 4 |
| Minimum Level Required for Work Contracts | Level 1 (once CMMC is finalized) | Authorized at applicable impact level |
| Levels and Control Scope | | |
| Applicability | Applies to all contractors that work with the DoD | Applies to cloud service providers (CSPs) that work with US government agencies |

CMMC vs FedRAMP
CSPs must achieve Authorized status in order to provide services to US government agencies. Soon, DoD contractors will need to achieve at least CMMC Level 1 status before winning new contracts.
In general, FedRAMP is a more comprehensive framework than CMMC. FedRAMP requires organizations to enhance process maturity and capabilities across a wider range of topics, covering data, network, staff, physical facility and vendor security. Here are additional considerations to keep in mind regarding CMMC and FedRAMP compliance:
- CMMC has been in development for the past few years and is now (2023) nearing finalization.
- FedRAMP is a mature framework (based on NIST 800-53) that has been in place for over a decade (2011). We view it as the high bar for cloud cybersecurity compliance.
- Both CMMC and FedRAMP are constantly evolving. The DoD, the FedRAMP PMO and NIST regularly update the requirements to reflect the latest cybersecurity threats.
- Compliance with CMMC and FedRAMP can be a complex and expensive process, especially for SMBs. Rizkly helps SMBs consider their needs and regulatory requirements and offers an effective and efficient solution for achieving and sustaining improved cybersecurity posture and compliance.
Rizkly experts will advise, guide and review hardware and software technology changes to ensure that they address specific compliance controls, but we do not perform the actual implementation work. Over the years, we have developed a trusted ecosystem of partners who offer effective and affordable solutions to expedite remediation of security and compliance gaps. We will gladly refer you to appropriate partners if and when the need arises. Creating policies, procedures and other artifacts is also a key part of compliance remediation efforts, and these are activities that our advisors do perform using powerful Rizkly features for policies and procedures.
Rizkly cybersecurity compliance advisors will work with you through the entire lifecycle of your compliance initiative. We will scale up/down depending on specific need, and we co-create our involvement in the early stages of the project. Typical project activities include:
- Gain an understanding of your business, your clients, your system(s), and your anticipated compliance requirements
- Educate your team members on compliance requirements, how to leverage the Rizkly app and what will be expected throughout the effort
- Develop the system ‘boundary’, and what will be in scope for compliance purposes
- Draft a system architecture diagram that clearly depicts the system boundary
- Review existing documentation and work with your team members to understand system and process specifics
- Perform a high level gap assessment to determine what controls are in place and operating effectively, and where there are gaps
- For each gap determine a detailed plan of action to remediate
- Collaborate as needed with personnel (staff and/or your vendors) during remediation.
- Provide advisory support, develop documentation, design controls, review evidence, audit prep, etc.
- Ensure that all artifacts and control implementation statements are effectively captured in Rizkly
- Educate your team on how to leverage Rizkly to generate audit-ready documentation such as SSPs, POA&M reports and SPRS scoring
- Post-remediation ensure that all controls are in place and operating effectively